Google Play Store Removed Some Android Apps, As 'The Joker' Malware Returns


Following a big campaign to remove irritating adware from the Play Store, Google has removed at least 47 apps.

After the security team at Avast found that the apps could leave Android users with a phone that is constantly bombarded with unwanted and highly annoying ads, the team at Check Point Research made another discovery: 11 of the apps carried a tweaked version of the original The Joker malware.

Best known for fraudulently exploiting Android's billing system to sign unsuspecting users up to premium-rate services without their permission, The Joker has been around for years, since at least 2017.

That was until Google finally removed 24 apps containing the malware from Google Play in 2019, after they had collectively received more than 472,000 downloads by unsuspecting Android users.

The Joker is a type of malware that malicious actors use to make money from unsuspecting users. The new variant, however, can also leave targeted devices almost unusable.

The following apps were found to have The Joker malware inside them:

  1. com.cheery.message.sendsms
  2. com.imagecompress.android
  3. com.hmvoice.friendsms
  4. com.relax.relaxation.androidsms
  5. com.cheery.message.sendsms
  6. com.contact.withme.texts
  7. com.peason.lovinglovemessage
  8. com.file.recovefiles
  9. com.LPlocker.lockapps
  10. com.remindme.alram
  11. com.training.memorygame

The apps in question carried the updated version of The Joker malware and, as researchers at Check Point discovered, were equipped with the Joker Dropper and Premium Dialer spyware.

The new variant uses two components: a Notification Listener service that is part of the original application, and a dynamic DEX file loaded from the C&C server to perform the registration of the user to the services.

Infecting not just illegitimate apps but also legitimate ones, the apps with the updated Joker can also download additional malware to victims' smartphones. This ability makes the new variant more dangerous.

According to the researchers, the malware has “adopted an old technique from the conventional PC threat landscape and used it in the mobile app world to avoid detection by Google.”

"In an attempt to minimize Joker’s fingerprint, the actor behind it hid the dynamically loaded dex file from sight while still ensuring it is able to load – a technique which is well-known to developers of malware for Windows PCs. This new variant now hides the malicious dex file inside the application as Base64 encoded strings, ready to be decoded and loaded."

One of the Android apps that has The Joker malware. (Credit: Check Point Research)
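The hiding technique in the quote above leaves a recognisable trace: every DEX file begins with the magic bytes `dex\n`, so its Base64 form always begins with `ZGV4C`. The following is an added example, not code from Check Point or from the original article, showing how a defender could flag such strings among those extracted from an app; the function name and the sample strings are assumptions constructed for illustration.

```python
import base64
import re

# DEX header magic: "dex\n", three ASCII version digits, NUL (e.g. b"dex\n035\x00").
DEX_MAGIC = re.compile(rb"dex\n\d{3}\x00")
# Base64 of b"dex\n" always starts with these five characters.
B64_DEX_PREFIX = "ZGV4C"
# A run of Base64 alphabet characters long enough to hold the header.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def find_embedded_dex(strings):
    """Return (string index, char offset, DEX version) for each Base64 DEX header."""
    hits = []
    for index, text in enumerate(strings):
        for run in B64_RUN.finditer(text):
            blob = run.group(0)
            pos = blob.find(B64_DEX_PREFIX)
            while pos != -1:
                head = blob[pos:pos + 12]  # 12 chars decode to 9 bytes (magic is 8)
                if len(head) == 12:
                    try:
                        raw = base64.b64decode(head, validate=True)
                    except ValueError:  # bad padding or alphabet: not a header
                        raw = b""
                    # Confirm the full magic so a stray "ZGV4C" is not reported.
                    if DEX_MAGIC.match(raw):
                        hits.append((index, run.start() + pos, raw[4:7].decode()))
                pos = blob.find(B64_DEX_PREFIX, pos + 1)
    return hits


# Constructed sample input: a fake 16-byte header, not a real payload.
FAKE_DEX = b"dex\n035\x00" + bytes(8)
SAMPLE_STRINGS = [
    "Loading your messages...",
    base64.b64encode(b"https://example.invalid/api").decode(),  # benign Base64
    base64.b64encode(FAKE_DEX).decode(),                        # bare encoded header
    "cfg=" + base64.b64encode(FAKE_DEX).decode(),               # header inside a value
]

if __name__ == "__main__":
    for index, offset, version in find_embedded_dex(SAMPLE_STRINGS):
        print(f"string {index}: Base64 DEX header (version {version}) at offset {offset}")
```

The check only catches a DEX that was Base64-encoded from its first byte; a payload that is additionally encrypted, compressed, or prefixed with other bytes before encoding will not match.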

Android users who have installed any of the apps on their device need to uninstall them quickly. Users also need to check their bank and billing statements for any sign of fraudulent charges.

They may also want to contact their bank to see whether the charges can possibly be reversed.

The Joker is one of the most widely used pieces of malware. For this reason, its core functionality may remain the same, but its methods keep changing.

For future prevention, users need to check on the reviews of each app they want to download. A small number of perfect 5 star reviews and nothing else can be a sign that the reviewers aren’t who they say they are, and that the apps may not be what they claim to be.

On top of that, users can stay safer by simply avoiding third-party app stores when downloading new apps.

Users should only install apps that they know provide the benefit they want. They should also avoid apps from small or unknown developers, as the risk of malware in those apps is higher.

Users may also want to install a security solution to prevent future infections.

Published: 
14/07/2020